Monday, April 7th, 2025
Hey, Cybersecurity Leaders! Here’s what you should know about NIS2!
As cybersecurity threats grow in scale and complexity, European regulations are evolving to keep up. The NIS2 Directive is a landmark update to cybersecurity legislation, aimed at strengthening digital defenses across the EU.
With a broader scope and stricter requirements than its predecessor, NIS2 demands serious attention from business, IT, and security leaders alike.
What is NIS2?
NIS2 (Directive (EU) 2022/2555) mandates a stronger approach to cybersecurity risk management across essential and important sectors—from healthcare and energy to digital infrastructure and public administration. It requires organizations to strengthen their cyber hygiene, improve incident reporting, and develop robust business continuity strategies.
But the path to compliance isn’t straightforward. By 2027, it’s expected that fewer than two-thirds of organizations will be fully compliant—primarily due to resource constraints, talent shortages, and variations in how member states implement the law.
Who’s Affected? Know Your Entity Classification
NIS2 introduces two categories of affected organizations—Essential and Important Entities—based on sector and size.
Entity Classification Table
| Category | Criteria | Example Sectors |
|---|---|---|
| Essential Entities | ≥ 250 employees OR turnover ≥ €50M OR balance sheet total ≥ €43M | Energy, transport, health, banking, digital infrastructure, water, public administration, space |
| Important Entities | ≥ 50 employees OR turnover ≥ €10M OR balance sheet total ≥ €10M | Manufacturing, food, postal/courier, waste, digital providers (search, marketplaces, social) |
Some countries (e.g., Croatia) have extended the directive to additional sectors like education. Check national implementation details.
Key Compliance Focus Areas
1. Cyber Risk Management
Effective risk management is the foundation of NIS2 compliance. Organizations are expected to implement a formal framework that includes:
- – Ongoing risk assessments
- – Risk registers and treatment plans
- – Cybersecurity training and awareness programs
- – Supply chain risk evaluation and controls
Building a mature, continuously monitored risk management practice is essential to mitigating threats and demonstrating compliance.
2. Corporate Accountability
NIS2 makes cybersecurity a board-level issue. Leadership is now directly accountable for organizational security, and in cases of noncompliance, executives may face fines or temporary bans.
To meet this requirement:
- – Educate management teams on cyber risks and responsibilities
- – Establish strong governance, oversight, and reporting frameworks
- – Embed cybersecurity into enterprise risk discussions
3. Incident Reporting
NIS2 enforces strict reporting obligations for security incidents. Organizations must report significant cyber incidents to their national cybersecurity authority within tight timelines.
To manage this:
- – Establish external communication channels with regulators
- – Develop internal incident detection, escalation, and reporting processes
- – Involve legal teams early to interpret and respond to localized regulatory nuances
4. Business Continuity
Business continuity planning is a cornerstone of NIS2. Cyber incidents must not cause prolonged service disruptions. Organizations should:
- – Conduct business impact analyses (BIAs)
- – Create and test continuity and disaster recovery plans
- – Coordinate with third parties and IT teams to protect critical operations
Ownership of these plans often lies with business units, but cybersecurity teams play a critical supporting role in aligning IT and business priorities.
NIS2 Reporting Requirements: What You Need to Do and When
One of the most critical obligations under NIS2 is timely reporting of significant cyber incidents.
| Requirement | Deadline | Notes |
|---|---|---|
| Initial Notification | Within 24 hours of becoming aware | Basic information on the incident and initial impact |
| Intermediate Report | Within 72 hours | More details on the cause, scope, and potential consequences |
| Final Report | Within 1 month | Root cause analysis, response, mitigation steps, and future prevention actions |
| Regulatory Communication | Ongoing | Maintain direct channels with competent authorities (e.g., CSIRTs) |
Quick NIS2 Compliance Cheat Sheet
| Area | Key Actions |
|---|---|
| Entity Classification | Determine if you’re an essential or important entity based on sector and size |
| Cyber Risk Management | Create a formal risk framework: assessments, registers, treatment plans |
| Governance | Make cybersecurity a board-level issue with executive accountability |
| Incident Reporting | Set up procedures to detect, escalate, and report incidents within mandated timeframes |
| Supply Chain Security | Evaluate and secure third-party risk |
| Business Continuity | Conduct BIAs, build disaster recovery and crisis plans |
| Training & Awareness | Provide regular cybersecurity training to management and staff |
| Legal Engagement | Work with legal teams to understand national implementation differences |
| Registration | Some organizations may need to self-register via government portals |
| Audits & Fines | Be prepared for inspections, fines, and—in severe cases—executive bans for noncompliance |
Need help with your NIS2 Compliance? Contact us a today for a free assessment.
Contact Us
The data you supply here will not be added to any mailing list or given to any third party providers without further consent. View our Privacy Policy for more information.